Mac OS vulnerability exploited by poker Trojan

It's IT Blogwatch: in which we worry about an exploited Mac OS vulnerability. Not to mention Grand Theft Auto IV: the Naked Gun Edition...

Gregg Keizer reports:

Security researchers reported last week that they've spotted a Mac Trojan horse in the wild that could compromise machines running Apple Inc.'s Mac OS X 10.4 or 10.5. SecureMac, a Mac-specific anti-virus vendor, posted an alert last Thursday that its researchers had found a Trojan horse, dubbed "AppleScript.THT," being distributed from a hacker-operated site where discussions of spreading the malware via iChat, Apple's instant messaging and video chat software, were also taking place. The company classified the threat posed by the Trojan as "critical." The malware exploits a recently publicized vulnerability in the Apple Remote Desktop Agent (ARDAgent), part of Tiger's and Leopard's Remote Management component. Composed as a compiled AppleScript, or in another variant, a script bundled into an application, the Trojan leverages the ARDAgent bug to gain full control of the victimized Mac.

Chris Foresman adds:

A security flaw in ARDAgent, a component of Apple Remote Desktop, was publicized yesterday by security firm Intego, and now Mac-centric security firm SecureMac is reporting that a trojan that exploits the flaw is currently in the wild ... Due to ARDAgent running as root, which allows it to run commands invoked via AppleScript as root. The trojan, available as both a compiled AppleScript and an application bundle, can allow a remote user complete control of your machine and can easily run undetected by opening firewall ports and turning off logging ... There are a couple of ways to keep the trojan from causing you headaches. First, and this is true of all trojans, don't download and run any suspicious software. Steve Hunter, a Mac admin and IT Coordinator at Purdue University, tells Ars that enabling Remote Desktop actually disables the vulnerability ... counterintuitively.

The anonymous SecureMac gnomes write:

The Trojan horse runs hidden on the system, allows a malicious user complete remote access to the system, can transmit system and user passwords, and can avoid detection by opening ports in the firewall and turning off system logging. Additionally, the AppleScript.THT Trojan horse can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing. The Trojan horse exploits a recently discovered vulnerability with the Apple Remote Desktop Agent, which allows it to run as root. The Trojan is distributed as either a compiled AppleScript, called ASthtv05 (60 KB in size), or as an application bundle called AStht_v06 (3.1 MB in size). The user must download and open the Trojan horse in order to become infected. Once the Trojan horse is running, it will move itself into the /Library/Caches/ folder, and add itself to the System Login Items.

Bonjour, Lionel de Macbidouille (et merci, Crispin):

Disguised as a game of poker under the name "PokerGame", it hides a malicious script which will activate SSH on the target machine and will recover the identifiers and administrator password, which will then be sent to a server. To encourage the person to deliver this information, it will pretend that there is a corrupted preference file and will ask to repair it. Armed with the knowledge of the IP of the target machine and its access keys, a pirate will be able to take control, at least if the machine is not behind a router on which port translations have been made. As always, be circumspect before entering your administrator password.

Have you hugged Peter da Silva today?

Yes, this is a serious bug. It's a classic blunder, like getting into a land war in Asia, and is similar to the one in NT 3.51's scheduler to get LOCALSYSTEM rights, or the one in /bin/write in 2BSD to get a root shell ... I am about 99 44/100 percent sure that there's more undiscovered holes like this in OS X, Windows Vista, and any random Linux desktop you could name ... Security is like sex. Once you're penetrated you're ****ed. The biggest advantage that Apple has is that Safari doesn't (any more) have a mechanism (at least not by default) to blithely execute outside a *closed* sandbox (not a leaky one) any random malware that can convince it that it's safe and trusted. That's the biggest security problem Windows has ... It's harder to penetrate OS X in the first place... you pretty much have to depend on social engineering... and people CAN learn not to be social-engineered.

And pandrijeczko agrees, with reservations:

But Apple have made exactly the same marketing mistakes that Microsoft did in selling their respective OSes as ones that can be used easily by people with no knowledge of computers: people still click on attachments they shouldn't, still give their passwords to phishing web sites and still don't install regular security updates and scan their PCs for virii. And in the case of this specific exploit, I am sure that a number of newbie Apple users would happily tap osascript -e 'tell app "ARDAgent" to do shell script "whoami"' into their computers purely because "Jim The Friendly Computer Support Engineer" told them to do it. So let's not beat about the bush: ANY exploit that isn't fixed as quickly as possible is a problem, because there's always at least one spotty teenager trying to become a HAX0R who is prepared to try his luck against some poor unwitting user.

Jordy Rose has a suggestion:

If the exploit is active on your system, adding a key to ARDAgent's Info.plist makes the problem go away without disabling ARDAgent altogether. (Whether or not ARDAgent is a security vulnerability itself is another story.)

<key>NSAppleScriptEnabled</key>
<string>YES</string>

That "YES" is not a typo; setting it to "NO" does not fix the problem. AFAICT this makes osascript expect that ARDAgent will implement more of its own AppleScript handlers... which of course, it doesn't.
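Two defender-side checks fall out of the items above: whether the Info.plist workaround Jordy Rose describes is actually in place, and whether the on-disk indicators SecureMac lists (the ASthtv05 / AStht_v06 artifacts, a copy in /Library/Caches/, a new login item) are present. The Python below is an added example written for this post, not code from any of the quoted sources. It assumes the artifact names and cache location from SecureMac's alert and the NSAppleScriptEnabled = YES key from Jordy Rose's note; the Info.plist content is constructed, the login items and cache listing are passed in as plain path lists (the page does not say where login items are stored), and the "login item pointing into /Library/Caches is suspicious" rule is this example's own heuristic.

```python
"""Checks for the ARDAgent workaround and AppleScript.THT indicators (added example)."""
import plistlib
from pathlib import PurePosixPath

MITIGATION_KEY = "NSAppleScriptEnabled"          # key from Jordy Rose's note; value must be "YES"
TROJAN_NAMES = frozenset({"ASthtv05", "AStht_v06"})  # artifact names from SecureMac's alert
CACHE_PARTS = ("/", "Library", "Caches")        # where SecureMac says the trojan copies itself


def mitigation_present(plist_bytes: bytes) -> bool:
    """True only if Info.plist carries NSAppleScriptEnabled = YES.
    The post stresses that "NO" does not help, so only the exact string YES counts."""
    info = plistlib.loads(plist_bytes)
    return info.get(MITIGATION_KEY) == "YES"


def add_mitigation(plist_bytes: bytes) -> bytes:
    """Return a copy of the plist with the workaround key set; the caller writes it back."""
    info = plistlib.loads(plist_bytes)
    info[MITIGATION_KEY] = "YES"
    return plistlib.dumps(info)


def _is_trojan_artifact(path: str) -> bool:
    # Match on any path component, ignoring extensions such as ".app".
    return any(part.split(".")[0] in TROJAN_NAMES for part in PurePosixPath(path).parts)


def find_indicators(cache_entries, login_items):
    """Return human-readable hits for the indicators SecureMac describes.

    cache_entries: paths found under /Library/Caches/ (constructed or from os.listdir)
    login_items:   paths of the login items configured on the machine
    """
    hits = []
    for p in cache_entries:
        if _is_trojan_artifact(p):
            hits.append(f"cache artifact: {p}")
    for p in login_items:
        if _is_trojan_artifact(p):
            hits.append(f"login item: {p}")
        elif PurePosixPath(p).parts[:3] == CACHE_PARTS:
            # Heuristic of this example: legitimate login items do not normally live in a cache dir.
            hits.append(f"login item launching from cache directory: {p}")
    return hits


# Constructed sample data (not real files from any machine).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleExecutable</key>
  <string>ARDAgent</string>
</dict>
</plist>
"""
SAMPLE_CACHE = ["/Library/Caches/com.apple.Safari", "/Library/Caches/AStht_v06.app"]
SAMPLE_LOGIN_ITEMS = ["/Applications/iTunes.app", "/Library/Caches/AStht_v06.app"]


if __name__ == "__main__":
    print("workaround present:", mitigation_present(SAMPLE_INFO_PLIST))
    print("workaround present after patching:", mitigation_present(add_mitigation(SAMPLE_INFO_PLIST)))
    for hit in find_indicators(SAMPLE_CACHE, SAMPLE_LOGIN_ITEMS):
        print("indicator:", hit)
```

On a real Tiger or Leopard machine you would feed mitigation_present the bytes of ARDAgent's Info.plist and find_indicators the listing of /Library/Caches/ plus the configured login items; the sample run reports the workaround as absent, present after add_mitigation, and two indicator hits for the AStht_v06 bundle.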


Richi Jennings is an independent analyst/adviser/consultant, specializing in blogging, email, and spam. A 21 year, cross-functional IT veteran, he is also an analyst at Ferris Research. You can follow him on Twitter, pretend to be Richi's friend on Facebook, or just use boring old email: blogwatch@richi.co.uk.


Copyright © 2008 IDG Communications, Inc.
